Security Basics mailing list archives

Re: DMZ Web Servers
From: krymson () gmail com
Date: Mon, 8 Sep 2008 12:55:32 -0600

Typically only traffic necessary for your web server to talk to the database server is necessary. This would be done on 
the Network layer (tcp/udp ports), instead of MACs on the second layer. Allowing entire IPs to talk to each other is 
too much.

I find that it is easiest to turn your firewall or router all the way closed and log denies. As you attempt to use the 
database server from the web server, start opening up the IP/port combinations as necessary while remembering to also 
check the same on the return path.

If, like a previous responder, you'd be worried about SQL injection, then you'd be worried about something beyond your 
infrastructure layout.

(Fine, there are things you can put in between your web server and database server to alert on mischievous traffic 
between the two, but I posit that solution is rare and not served when you [should] have that traffic encrypted anyway.)


<- snip ->
I would like to know any suggestions or ideas how some infrastructures
currently setup their Web Servers in the DMZ and connect back to an
Oracle or MSSQL backend on the inside. I was thinking of just allowing
specific IPs and MACs, but any other help would be greatly appreciated.

Thanks!
Rico
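
The default-deny-then-open workflow described in the reply above, as an added example that is not part of the original post or thread. It assumes a Linux firewall between the DMZ and the inside network that takes an iptables-restore ruleset and writes its LOG hits to the kernel log; the addresses, interface names and log lines are constructed (RFC 5737 / RFC 1918 ranges), and the port list covers the MSSQL (1433) and Oracle listener (1521) defaults mentioned in the question. `build_rules` emits the closed ruleset with logging and a single allowed web-to-database path plus the return path via connection tracking; `summarize_denies` tallies the logged denies by source, destination and port so the remaining gaps can be opened one combination at a time.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed environment: a Linux
# firewall forwarding between the DMZ and the inside network. All addresses,
# interface names and sample log lines below are constructed.

WEB_IP="192.0.2.10"       # DMZ web server (constructed address)
DB_IP="10.0.0.5"          # inside database server (constructed address)
DB_PORTS="1433 1521"      # MSSQL and Oracle listener ports

# Emit a complete iptables-restore ruleset: every chain defaults to DROP,
# dropped forwards are logged (rate limited) before being discarded, only
# NEW TCP connections from the web server to the database ports are
# accepted, and the return path is allowed only for connections that
# were already accepted (ESTABLISHED,RELATED), so nothing else gets back.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DENY: "
-A LOGDROP -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in $DB_PORTS; do
        echo "-A FORWARD -p tcp -s $WEB_IP -d $DB_IP --dport $port --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Read kernel log lines on stdin and count FW-DENY hits per
# "SRC -> DST PROTO/DPT" combination, most frequent first. This is the
# list you work through while opening the firewall: each line is either a
# rule you still need or traffic that should stay blocked.
summarize_denies() {
    grep 'FW-DENY:' | awk '{
        src = ""; dst = ""; proto = ""; dpt = "-";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        key = src " -> " dst " " proto "/" dpt;
        n[key]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample of what the firewall logs before the web->db rule
# exists: two SQL Server attempts, one SMB attempt, one NetBIOS probe
# coming back from the inside (which should stay denied).
SAMPLE_LOG='Sep  8 12:55:32 fw kernel: FW-DENY: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51234 DPT=1433 SYN
Sep  8 12:55:40 fw kernel: FW-DENY: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51235 DPT=1433 SYN
Sep  8 12:56:01 fw kernel: FW-DENY: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51236 DPT=445 SYN
Sep  8 12:56:05 fw kernel: FW-DENY: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=137 DPT=137'

# Usage: sh dmz-db-rules.sh demo   (prints the ruleset, then the deny summary)
if [ "${1:-}" = "demo" ]; then
    build_rules
    echo "--- denies by src/dst/port ---"
    printf '%s\n' "$SAMPLE_LOG" | summarize_denies
fi
```

The ruleset is written for `iptables-restore` rather than typed rule by rule so the closed state and the logging chain go in atomically; the `--syn`/`NEW` match on the allow rule means the database side can never initiate toward the DMZ, which is the "check the return path" point in the reply. On the deny summary, only the `TCP/1433` line maps to a rule you actually need; the SMB and NetBIOS lines are exactly the traffic a default-deny posture is there to keep.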

